pith. sign in

arxiv: 1912.00049 · v3 · pith:6Q2SLA7Anew · submitted 2019-11-29 · 💻 cs.LG · cs.CR· cs.CV· stat.ML

Square Attack: a query-efficient black-box adversarial attack via random search

classification 💻 cs.LG cs.CRcs.CVstat.ML
keywords attackblack-boxsquarestate-of-the-artadversarialcomparedgradientinfty
0
0 comments X
read the original abstract

We propose the Square Attack, a score-based black-box $l_2$- and $l_\infty$-adversarial attack that does not rely on local gradient information and thus is not affected by gradient masking. Square Attack is based on a randomized search scheme which selects localized square-shaped updates at random positions so that at each iteration the perturbation is situated approximately at the boundary of the feasible set. Our method is significantly more query efficient and achieves a higher success rate compared to the state-of-the-art methods, especially in the untargeted setting. In particular, on ImageNet we improve the average query efficiency in the untargeted setting for various deep networks by a factor of at least $1.8$ and up to $3$ compared to the recent state-of-the-art $l_\infty$-attack of Al-Dujaili & O'Reilly. Moreover, although our attack is black-box, it can also outperform gradient-based white-box attacks on the standard benchmarks achieving a new state-of-the-art in terms of the success rate. The code of our attack is available at https://github.com/max-andr/square-attack.

This paper has not been read by Pith yet.

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Forward citations

Cited by 5 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. LambdaMark: Semantic Audio Watermarking for Robustness and Radioactivity

    cs.SD 2026-06 unverdicted novelty 8.0

    LambdaMark is the first generic radioactive audio watermark that injects multi-bit messages into semantic latent representations, achieving robustness to distortions and removal attacks even after downstream model finetuning.

  2. MIRAGE: Protecting against Malicious Image Editing via False Moderation

    cs.CR 2026-06 unverdicted novelty 7.0

    MIRAGE immunizes images by aligning them to policy-violating concepts in open-source moderation embedding spaces, triggering automatic refusals in commercial image editing APIs with over 88% success.

  3. MIRAGE: Protecting against Malicious Image Editing via False Moderation

    cs.CR 2026-06 unverdicted novelty 7.0

    MIRAGE immunizes images by crafting perturbations that align them with policy-violating concepts in open-source moderation models, triggering refusals in closed-source commercial image editors at over 88% success rate.

  4. HarmonicAttack: An Adaptive Cross-Domain Audio Watermark Removal

    cs.SD 2025-11 conditional novelty 6.0

    A black-box audio watermark removal attack trained on limited samples that generalizes across datasets and watermark schemes with high attack success rates.

  5. NeuroTrace: Inference Provenance-Based Detection of Adversarial Examples

    cs.CR 2026-04 unverdicted novelty 5.0

    NeuroTrace framework builds heterogeneous graphs of inference provenance to detect adversarial examples in DNNs, showing strong transferable performance across attack families in vision and malware domains.